# Contributor: Leo <thinkabit.ukim@gmail.com>
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mbedtls
pkgver=3.6.2 # long-time support branch
pkgrel=0
_framework_commit=d9a70c758a5a511020240bbcc86f6d647d64fe96
pkgdesc="Light-weight cryptographic and SSL/TLS library"
url="https://www.trustedfirmware.org/projects/mbed-tls/"
arch="all"
license="Apache-2.0 OR GPL-2.0-or-later"
makedepends="cmake perl python3 samurai"
subpackages="$pkgname-static $pkgname-dev $pkgname-utils"
source="$pkgname-$pkgver.tar.gz::https://github.com/ARMmbed/mbedtls/archive/v$pkgver.tar.gz
	$pkgname-framework-$_framework_commit.tar.gz::https://github.com/Mbed-TLS/mbedtls-framework/archive/$_framework_commit.tar.gz
	gcc14.patch
	"

# Track security issues
# https://mbed-tls.readthedocs.io/en/latest/security-advisories/

# secfixes:
#   3.6.2-r0:
#     - CVE-2024-49195
#   3.6.1-r0:
#     - CVE-2024-45157
#     - CVE-2024-45158
#     - CVE-2024-45159
#   2.28.8-r0:
#     - CVE-2024-28960
#   2.28.7-r0:
#     - CVE-2024-23170
#     - CVE-2024-23775
#   2.28.5-r0:
#     - CVE-2023-43615
#   2.28.1-r0:
#     - CVE-2022-35409
#   2.16.12-r0:
#     - CVE-2021-44732
#   2.16.8-r0:
#     - CVE-2020-16150
#   2.16.6-r0:
#     - CVE-2020-10932
#   2.16.4-r0:
#     - CVE-2019-18222
#   2.16.3-r0:
#     - CVE-2019-16910
#   2.14.1-r0:
#     - CVE-2018-19608
#   2.12.0-r0:
#     - CVE-2018-0498
#     - CVE-2018-0497
#   2.7.0-r0:
#     - CVE-2018-0488
#     - CVE-2018-0487
#     - CVE-2017-18187
#   2.6.0-r0:
#     - CVE-2017-14032
#   2.4.2-r0:
#     - CVE-2017-2784

prepare() {
	default_prepare

	# TF-PSA-Crypto and Mbed TLS version-independent build and test framework
	rmdir "$builddir"/framework
	mv "$srcdir/$pkgname-framework-$_framework_commit" "$builddir"/framework

	# Enable flags for non-embedded systems.
	python3 scripts/config.py set MBEDTLS_THREADING_C
	python3 scripts/config.py set MBEDTLS_THREADING_PTHREAD
}

build() {
	cmake -B build -G Ninja \
		-DCMAKE_BUILD_TYPE=MinSizeRel \
		-DCMAKE_INSTALL_PREFIX=/usr \
		-DCMAKE_INSTALL_LIBDIR=lib \
		-DUSE_SHARED_MBEDTLS_LIBRARY=ON \
		-DENABLE_TESTING="$(want_check && echo ON || echo OFF)"
	cmake --build build
}

check() {
	cd build
	# tests break in parallel
	ctest -j1
}

package() {
	DESTDIR="$pkgdir" cmake --install build
}

utils() {
	pkgdesc="Utilities for mbedtls (including gen_key / cert_write)"

	mkdir -p "$subpkgdir"/usr
	mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}

static() {
	pkgdesc="Static files for mbedtls"

	mkdir -p "$subpkgdir"/usr/lib
	mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib/
	chmod -x "$subpkgdir"/usr/lib/*.a
}

sha512sums="
ad5a8de072cd7bede21378a3301d8de7c4eec8e113ebe2a3ffe5bf8ebed1b236a52ae0425abe45eafdc534af65b51076ca458e342950174bf1bdbbc06d1bdad1  mbedtls-3.6.2.tar.gz
1ee67f1c24a5b0dfc187fba377da9d8e799dc9976019cba4b2f75d49e2f82a62c6f72b56f42c02ad942e5e9202e0b81cf24e50355018f6ad80a6ab6579d2ec88  mbedtls-framework-d9a70c758a5a511020240bbcc86f6d647d64fe96.tar.gz
3c07e8f773295a08b1f215b64f1f62e194ec4fa54b6485107a3db0d731e12df1a88321852dd5caeb5f1f4931695168c9618f316cfecfd92c42c88f610285cef6  gcc14.patch
"
